Copilot Studio security & governance (official)
The official control set for governing Copilot Studio at enterprise scale: data policies/DLP, Purview & Sentinel auditing, environment routing, managed environments, CMK and autonomous-agent governance — with the KVKK angle.
This is a summary with a canonical link to the original Microsoft resource; up-to-date content lives at the source. — Microsoft Learn.
Standing up an agent is easy; governing it safely, predictably and auditably is the real work. Microsoft’s official security & governance doc lists concrete, tenant-wide controls you can apply.
Key controls:
- Data policies / DLP: govern maker & user authentication, knowledge sources, connectors/actions/skills, HTTP requests, channel publication and triggers.
- Purview audit logs: admins get full visibility into maker activity in Microsoft Purview.
- Microsoft Sentinel: monitoring and alerting on agent activity.
- Environment routing & managed environments: a safe build space for makers; per-environment policy.
- Autonomous-agent governance: constrain trigger-based agent capabilities with data policies (against data exfiltration).
- CMK (customer-managed keys), Customer Lockbox and restricting data movement outside the US.
- Admins can turn off publishing of generative-AI agents tenant-wide.
KVKK angle: geographic data residency + Purview auditing + DLP masking are cornerstones of KVKK/EUDB readiness. Honest caveat: verify “adequacy” and your data-processing location for your own scenario. This page is the official basis of the site’s “Governance & KVKK Starter Kit.”